Despite revision, cybersecurity rules for New York financial sector still have teeth
Other states could follow Empire State's lead with focus on data breach prevention
By Byron Acohido, ThirdCertainty
’Twas a few days before Christmas 2016, and the banking and insurance industries were in a tizzy.
The New York State Department of Financial Services was on the verge of spoiling the holidays for these verticals by implementing an unprecedented set of rules requiring financial services firms to adopt first-class cybersecurity policies and practices.
Responding to eleventh-hour lobbying, NYDFS Superintendent Maria T. Vullo agreed to postpone implementation of her agency’s Cybersecurity Requirements for Financial Services Companies by three months—to March 1. And on Dec. 28, Vullo released a heavily revised set of rules, presumably aimed at addressing industry complaints.
However, the core of New York’s pioneering cybersecurity rules remains intact. If Vullo can actually pull off much-needed behavior change among the financial sector in the Empire State, then other states may be emboldened to follow her lead. Keep in mind these are rules issued by a state agency. State lawmakers had little to do with it.
ThirdCertainty asked four attorneys who have been closely monitoring this development to supply wider context. Weighing in below are Edward J. McAndrew, of Ballard Spahr; Richard Borden, of Robinson & Cole; and Thomas M. Dawson and Yuliya Feldman, of Drinker Biddle & Reath. (This text has been edited for clarity and length.)
ThirdCertainty: What is significant about New York standing its ground?
Dawson: The revised requirements provide greater flexibility, but leave in place a system that would be the first of its kind. Most cybersecurity regulation efforts focus on either providing a voluntary framework for evaluating cybersecurity risks, or prescribing remedial efforts after a data breach has occurred. New York seeks to impose comprehensive and specific cybersecurity requirements that are focused on preventing data breaches, such as multi-factor authentication and encryption.
McAndrew: Although it made some significant revisions, NYDFS retained the overall framework of the regulations. This shows the agency intends for these regulations to have teeth. This requires the creation, implementation and ongoing execution of a full-scale information security program that is proactive, risk-based and comprehensive. Yet it can also be tailored and responsive to actual cyber incidents and the constantly evolving cyber threat landscape.
3C: What are some key revisions?
McAndrew: Three big revisions caught my attention. First, the definition of what qualifies as “nonpublic information” has been significantly narrowed and now more closely tracks the New York data breach notification law. Second, the regulation governing third-party service providers has been rewritten to make clear that covered entities will not be required to audit the systems of all third-party service providers.
And third, the cybersecurity event notification obligation has been circumscribed. It only applies where an event triggers a notification obligation to a governmental, self-regulatory or supervisory entity, or creates a reasonable likelihood of materially harming any material part of the covered entity’s normal operations.
Feldman: The overall effective date was pushed back to March 1, and extended transitional periods for certain requirements were introduced. However, these new deadlines are still tight. The introduction of a risk-based approach now requires two separate steps—the risk assessment and implementation of the cybersecurity requirements taking the risk assessment conducted into account. Therefore, covered entities should begin planning soon, if they have not begun to do so already, to give themselves sufficient time to come into compliance.
3C: Doesn’t allowing a ‘risk-based’ approach give companies wiggle room?
Feldman: Companies can tailor their compliance to operational realities. As an extreme example, let’s say that a covered entity handled and stored all customer information internally and did not contract with third-party service providers. Under a risk-based approach, that firm would not have to establish a third-party security policy.
In less extreme cases, a risk-based approach allows companies to more efficiently allocate resources. They can fulfill those cybersecurity requirements that best address the particular cybersecurity risks that are riskiest for that particular entity.
Borden: This could actually increase requirements. For covered entities with less risk in certain areas, fewer controls must be in place. However, if significant risk is identified in a risk assessment, stronger controls will be required. Importantly, NYDFS has stated that the risk assessment is “not intended to permit a cost-benefit analysis of acceptable losses where an institution is faced with cybersecurity risks.”
The agency’s fundamental response, to put it colloquially, is “If you don’t like how we did it, then do a risk assessment that covers all the topics and come up with your own controls. But get it right, because in the event of a breach or an audit, you signed on the bottom line that you were in compliance.”
3C: Do you expect other states to follow New York’s example?
Borden: I have heard that regulators from a number of states are watching this regulation carefully. Some are considering broader adoption than just financial services companies. This could result in a patchwork of regulation that may be difficult for multi-state companies from a compliance standpoint.
Dawson: Other states are definitely watching this. We could see a possible balkanization of cybersecurity requirements that would be in no one’s interests. It will be interesting to see how the federal position develops in a possible small-government era in Washington, D.C.
I’d note, however, that in the banking sector, the Federal Reserve Board, the Federal Deposit Insurance Corp., and the Office of the Comptroller of the Currency issued an Advanced Notice of Proposed Rulemaking on Enhanced Cyber Risk Management Standards late in 2016.